This is a fairly standard buffer overflow. The buffer is 512 bytes long, but no bounds check ensures that the input stays within that size. I tried using the Metasploit Framework’s pattern_create.rb; however, because a “toupper()” is applied to the buffer, it won’t find the pattern. I had to do it manually, by splitting an array into “a” and “b” segments and adjusting the sizes each time. I found that the offset was at 532 bytes with the following code:

From this, we can see that the final buffer, after the “toupper()” and “strdup()” is located at 0xbffffab8. We now have the option of putting the shellcode before or after the return address.

Before

I set up a quick Python script to use the offset of 532 bytes and added a small nop sled and the shellcode. Since the code uses a “toupper()”, the shellcode can’t contain any lowercase letters. Luckily, I was able to find shellcode that suits this scenario perfectly here.

After

When putting the shellcode after the return address, we don’t have to worry about the “toupper()” function. I simply used the Metasploit Framework’s msfpayload and msfencode tools to generate a basic bind shell.

This script is pretty simple: it pads up to the return address, then adds a nop sled and the shellcode after it. It just needs a return address that points to the shellcode, which we can find using gdb.

Conclusion

It turns out there is always more than one way to skin a cat, and I’m learning the same applies to exploit development. One could try to make this portable by using relative jumps with offsets, or ret2libc. I did not do this, as it wasn’t specifically part of the exercise, but I may come back to it later for fun.